fierce queries a domain's DNS to enumerate its nameservers, subdomains and the IP addresses those names resolve to.
Open a terminal and run fierce -h to see fierce's usage help:
root@kali:~# fierce -h
fierce (C) Copywrite 2006,2007 - By RSnake at http://ha.ckers.org/fierce/
Usage: fierce [-dns example.com] [OPTIONS]
Overview:
Fierce is a semi-lightweight scanner that helps locate non-contiguous
IP space and hostnames against specified domains. It's really meant
as a pre-cursor to nmap, unicornscan, nessus, nikto, etc, since all
of those require that you already know what IP space you are looking
for. This does not perform exploitation and does not scan the whole
internet indiscriminately. It is meant specifically to locate likely
targets both inside and outside a corporate network. Because it uses
DNS primarily you will often find mis-configured networks that leak
internal address space. That's especially useful in targeted malware.
Options:
-connect Attempt to make http connections to any non RFC1918
(public) addresses. This will output the return headers but
be warned, this could take a long time against a company with
many targets, depending on network/machine lag. I wouldn't
recommend doing this unless it's a small company or you have a
lot of free time on your hands (could take hours-days).
Inside the file specified the text "Host:\n" will be replaced
by the host specified. Usage:
fierce -dns example.com -connect headers.txt
-delay The number of seconds to wait between lookups.
-dns The domain you would like scanned.
-dnsfile Use DNS servers provided by a file (one per line) for
reverse lookups (brute force).
-dnsserver Use a particular DNS server for reverse lookups
(probably should be the DNS server of the target). Fierce
uses your DNS server for the initial SOA query and then uses
the target's DNS server for all additional queries by default.
-file A file you would like to output to be logged to.
-fulloutput When combined with -connect this will output everything
the webserver sends back, not just the HTTP headers.
-help This screen.
-nopattern Don't use a search pattern when looking for nearby
hosts. Instead dump everything. This is really noisy but
is useful for finding other domains that spammers might be
using. It will also give you lots of false positives,
especially on large domains.
-range Scan an internal IP range (must be combined with
-dnsserver). Note, that this does not support a pattern
and will simply output anything it finds. Usage:
fierce -range 111.222.333.0-255 -dnsserver ns1.example.co
-search Search list. When fierce attempts to traverse up and
down ipspace it may encounter other servers within other
domains that may belong to the same company. If you supply a
comma delimited list to fierce it will report anything found.
This is especially useful if the corporate servers are named
different from the public facing website. Usage:
fierce -dns examplecompany.com -search corpcompany,blahcompany
Note that using search could also greatly expand the number of
hosts found, as it will continue to traverse once it locates
servers that you specified in your search list. The more the
better.
-suppress Suppress all TTY output (when combined with -file).
-tcptimeout Specify a different timeout (default 10 seconds). You
may want to increase this if the DNS server you are querying
is slow or has a lot of network lag.
-threads Specify how many threads to use while scanning (default
is single threaded).
-traverse Specify a number of IPs above and below whatever IP you
have found to look for nearby IPs. Default is 5 above and
below. Traverse will not move into other C blocks.
-version Output the version number.
-wide Scan the entire class C after finding any matching
hostnames in that class C. This generates a lot more traffic
but can uncover a lot more information.
-wordlist Use a seperate wordlist (one word per line). Usage:
fierce -dns examplecompany.com -wordlist dictionary.txt
root@kali:~#
Usage: fierce [-dns example.com] [options]
For example: fierce -dns google.com
root@kali:~# fierce -dns google.com
DNS Servers for google.com:
ns2.google.com
ns4.google.com
ns1.google.com
ns3.google.com
Trying zone transfer first...
Testing ns2.google.com
Request timed out or transfer not allowed.
Testing ns4.google.com
Request timed out or transfer not allowed.
Testing ns1.google.com
Request timed out or transfer not allowed.
Testing ns3.google.com
Request timed out or transfer not allowed.
Unsuccessful in zone transfer (it was worth a shot)
Okay, trying the good old fashioned way... brute force
Checking for wildcard DNS...
Nope. Good.
Now performing 2280 test(s)...
172.217.160.100 academico.google.com
172.217.160.109 accounts.google.com
172.217.160.78 admin.google.com
172.217.24.14 ads.google.com
172.217.24.14 ai.google.com
74.125.204.139 alerts.google.com
74.125.204.113 alerts.google.com
74.125.204.100 alerts.google.com
74.125.204.138 alerts.google.com
74.125.204.102 alerts.google.com
74.125.204.101 alerts.google.com
172.217.24.4 ap.google.com
64.233.189.139 apps.google.com
64.233.189.100 apps.google.com
64.233.189.101 apps.google.com
64.233.189.138 apps.google.com
64.233.189.102 apps.google.com
64.233.189.113 apps.google.com
172.217.160.100 asia.google.com
216.58.200.46 billing.google.com
46.82.174.68 blog.google.com
172.217.24.14 business.google.com
64.233.189.113 calendar.google.com
64.233.189.138 calendar.google.com
64.233.189.102 calendar.google.com
64.233.189.100 calendar.google.com
64.233.189.139 calendar.google.com
64.233.189.101 calendar.google.com
172.217.160.110 careers.google.com
64.233.189.102 catalog.google.com
64.233.189.100 catalog.google.com
64.233.189.139 catalog.google.com
64.233.189.138 catalog.google.com
64.233.189.113 catalog.google.com
64.233.189.101 catalog.google.com
74.125.23.101 chat.google.com
74.125.23.113 chat.google.com
74.125.23.139 chat.google.com
74.125.23.102 chat.google.com
74.125.23.138 chat.google.com
74.125.23.100 chat.google.com
216.58.200.46 classroom.google.com
172.217.27.142 code.google.com
203.208.41.128 corp.google.com
74.125.204.138 d.google.com
74.125.204.101 d.google.com
74.125.204.100 d.google.com
74.125.204.139 d.google.com
74.125.204.102 d.google.com
74.125.204.113 d.google.com
216.58.200.238 design.google.com
74.125.23.139 developer.google.com
74.125.23.138 developer.google.com
74.125.23.113 developer.google.com
74.125.23.102 developer.google.com
74.125.23.101 developer.google.com
74.125.23.100 developer.google.com
74.125.23.102 developers.google.com
74.125.23.101 developers.google.com
74.125.23.113 developers.google.com
74.125.23.100 developers.google.com
74.125.23.138 developers.google.com
74.125.23.139 developers.google.com
74.125.23.101 dir.google.com
74.125.23.113 dir.google.com
74.125.23.100 dir.google.com
74.125.23.102 dir.google.com
74.125.23.138 dir.google.com
74.125.23.139 dir.google.com
74.125.204.139 directory.google.com
74.125.204.102 directory.google.com
74.125.204.113 directory.google.com
74.125.204.101 directory.google.com
74.125.204.100 directory.google.com
74.125.204.138 directory.google.com
172.217.27.142 dns.google.com
64.13.192.74 docs.google.com
172.217.160.78 domains.google.com
172.217.160.100 download.google.com
172.217.160.68 downloads.google.com
74.125.204.138 earth.google.com
74.125.204.100 earth.google.com
74.125.204.101 earth.google.com
74.125.204.113 earth.google.com
74.125.204.102 earth.google.com
74.125.204.139 earth.google.com
216.58.200.46 edu.google.com
74.125.204.100 email.google.com
74.125.204.102 email.google.com
74.125.204.138 email.google.com
74.125.204.113 email.google.com
74.125.204.101 email.google.com
74.125.204.139 email.google.com
74.125.204.102 enterprise.google.com
74.125.204.100 enterprise.google.com
74.125.204.101 enterprise.google.com
74.125.204.113 enterprise.google.com
74.125.204.139 enterprise.google.com
74.125.204.138 enterprise.google.com
172.217.27.132 europe.google.com
172.217.160.110 events.google.com
108.170.217.160 feeds.google.com
74.125.204.113 fi.google.com
74.125.204.101 fi.google.com
74.125.204.102 fi.google.com
74.125.204.100 fi.google.com
74.125.204.139 fi.google.com
74.125.204.138 fi.google.com
74.125.204.138 files.google.com
74.125.204.101 files.google.com
74.125.204.102 files.google.com
74.125.204.113 files.google.com
74.125.204.139 files.google.com
74.125.204.100 files.google.com
216.58.200.46 foto.google.com
172.217.160.78 fotos.google.com
74.125.204.100 games.google.com
74.125.204.138 games.google.com
74.125.204.101 games.google.com
74.125.204.102 games.google.com
74.125.204.113 games.google.com
74.125.204.139 games.google.com
172.217.160.68 gd.google.com
172.217.160.110 gg.google.com
74.125.204.113 gmail.google.com
74.125.204.138 gmail.google.com
74.125.204.100 gmail.google.com
74.125.204.139 gmail.google.com
74.125.204.101 gmail.google.com
74.125.204.102 gmail.google.com
74.125.203.113 group.google.com
74.125.203.100 group.google.com
74.125.203.139 group.google.com
74.125.203.101 group.google.com
74.125.203.138 group.google.com
74.125.203.102 group.google.com
74.125.23.102 groups.google.com
74.125.23.138 groups.google.com
74.125.23.139 groups.google.com
74.125.23.113 groups.google.com
74.125.23.100 groups.google.com
74.125.23.101 groups.google.com
172.217.160.100 gw1.google.com
74.125.23.138 help.google.com
74.125.23.102 help.google.com
74.125.23.113 help.google.com
74.125.23.100 help.google.com
74.125.23.139 help.google.com
74.125.23.101 help.google.com
172.217.160.78 home.google.com
172.217.27.131 id.google.com
216.58.200.238 images.google.com
74.125.23.100 investor.google.com
74.125.23.102 investor.google.com
74.125.23.138 investor.google.com
74.125.23.113 investor.google.com
74.125.23.101 investor.google.com
74.125.23.139 investor.google.com
74.125.23.113 investors.google.com
74.125.23.100 investors.google.com
74.125.23.139 investors.google.com
74.125.23.102 investors.google.com
74.125.23.101 investors.google.com
74.125.23.138 investors.google.com
172.217.160.110 ipv4.google.com
74.125.23.102 isp.google.com
74.125.23.138 isp.google.com
74.125.23.113 isp.google.com
74.125.23.100 isp.google.com
74.125.23.139 isp.google.com
74.125.23.101 isp.google.com
74.125.204.100 jobs.google.com
74.125.204.139 jobs.google.com
74.125.204.102 jobs.google.com
74.125.204.101 jobs.google.com
74.125.204.113 jobs.google.com
74.125.204.138 jobs.google.com
203.208.41.78 kh.google.com
203.208.41.69 kh.google.com
203.208.41.64 kh.google.com
203.208.41.72 kh.google.com
203.208.41.73 kh.google.com
203.208.41.66 kh.google.com
203.208.41.67 kh.google.com
203.208.41.70 kh.google.com
203.208.41.68 kh.google.com
203.208.41.71 kh.google.com
203.208.41.65 kh.google.com
74.125.23.100 labs.google.com
74.125.23.138 labs.google.com
74.125.23.139 labs.google.com
74.125.23.113 labs.google.com
74.125.23.102 labs.google.com
74.125.23.101 labs.google.com
216.239.32.58 ldap.google.com
64.233.189.100 local.google.com
64.233.189.113 local.google.com
64.233.189.102 local.google.com
64.233.189.139 local.google.com
64.233.189.138 local.google.com
64.233.189.101 local.google.com
216.58.200.43 m.google.com
74.125.23.19 mail.google.com
74.125.23.17 mail.google.com
74.125.23.83 mail.google.com
74.125.23.18 mail.google.com
216.58.200.238 map.google.com
172.217.160.110 maps.google.com
74.125.204.138 mars.google.com
74.125.204.113 mars.google.com
74.125.204.139 mars.google.com
74.125.204.100 mars.google.com
74.125.204.101 mars.google.com
74.125.204.102 mars.google.com
172.217.160.75 mobile.google.com
74.125.204.102 moon.google.com
74.125.204.113 moon.google.com
74.125.204.101 moon.google.com
74.125.204.138 moon.google.com
74.125.204.139 moon.google.com
74.125.204.100 moon.google.com
74.125.23.138 movies.google.com
74.125.23.102 movies.google.com
74.125.23.113 movies.google.com
74.125.23.101 movies.google.com
74.125.23.100 movies.google.com
74.125.23.139 movies.google.com
172.217.160.78 mt.google.com
74.125.204.138 music.google.com
74.125.204.101 music.google.com
74.125.204.100 music.google.com
74.125.204.139 music.google.com
74.125.204.113 music.google.com
74.125.204.102 music.google.com
172.217.160.78 news.google.com
64.233.183.140 newsfeed.google.com
31.13.85.16 newsgroups.google.com
64.233.183.140 nntp.google.com
216.239.32.10 ns1.google.com
216.239.32.11 ns.google.com
216.239.32.15 time1.google.com
216.239.32.10 ns.google.com
216.239.34.10 ns2.google.com
216.239.36.10 ns3.google.com
216.239.36.11 hedns1.google.com
216.239.38.10 ns4.google.com
74.125.204.139 partners.google.com
74.125.204.101 partners.google.com
74.125.204.113 partners.google.com
74.125.204.102 partners.google.com
74.125.204.100 partners.google.com
74.125.204.138 partners.google.com
172.217.160.78 photos.google.com
64.233.189.100 pki.google.com
64.233.189.113 pki.google.com
64.233.189.102 pki.google.com
64.233.189.101 pki.google.com
64.233.189.139 pki.google.com
64.233.189.138 pki.google.com
216.58.200.238 privacy.google.com
64.233.189.100 products.google.com
64.233.189.138 products.google.com
64.233.189.102 products.google.com
64.233.189.101 products.google.com
64.233.189.139 products.google.com
64.233.189.113 products.google.com
216.58.200.238 profiles.google.com
172.217.24.14 registry.google.com
172.217.27.142 relay.google.com
74.125.204.138 research.google.com
74.125.204.139 research.google.com
74.125.204.101 research.google.com
74.125.204.100 research.google.com
74.125.204.113 research.google.com
74.125.204.102 research.google.com
172.217.160.110 sb.google.com
74.125.204.139 search.google.com
74.125.204.138 search.google.com
74.125.204.102 search.google.com
74.125.204.101 search.google.com
74.125.204.113 search.google.com
74.125.204.100 search.google.com
74.125.204.139 security.google.com
74.125.204.100 security.google.com
74.125.204.101 security.google.com
74.125.204.113 security.google.com
74.125.204.138 security.google.com
74.125.204.102 security.google.com
74.125.204.100 services.google.com
74.125.204.102 services.google.com
74.125.204.138 services.google.com
74.125.204.101 services.google.com
74.125.204.139 services.google.com
74.125.204.113 services.google.com
74.125.204.101 shopping.google.com
74.125.204.138 shopping.google.com
74.125.204.139 shopping.google.com
74.125.204.102 shopping.google.com
74.125.204.100 shopping.google.com
74.125.204.113 shopping.google.com
64.233.189.100 sms.google.com
64.233.189.101 sms.google.com
64.233.189.139 sms.google.com
64.233.189.138 sms.google.com
64.233.189.113 sms.google.com
64.233.189.102 sms.google.com
74.125.204.101 sprint.google.com
74.125.204.113 sprint.google.com
74.125.204.100 sprint.google.com
74.125.204.139 sprint.google.com
74.125.204.138 sprint.google.com
74.125.204.102 sprint.google.com
216.58.200.46 store.google.com
172.217.24.14 support.google.com
74.125.204.125 talk.google.com
216.239.35.8 time3.google.com
216.239.35.4 time2.google.com
216.239.35.0 time1.google.com
216.239.35.12 time4.google.com
216.239.35.12 time.google.com
216.239.35.4 time.google.com
216.239.35.8 time.google.com
216.239.35.0 time.google.com
203.208.40.55 tools.google.com
203.208.40.47 tools.google.com
203.208.40.63 tools.google.com
203.208.40.56 tools.google.com
74.125.23.138 tv.google.com
74.125.23.113 tv.google.com
74.125.23.102 tv.google.com
74.125.23.101 tv.google.com
74.125.23.139 tv.google.com
74.125.23.100 tv.google.com
74.125.204.113 uol.google.com
74.125.204.101 uol.google.com
74.125.204.100 uol.google.com
74.125.204.102 uol.google.com
74.125.204.139 uol.google.com
74.125.204.138 uol.google.com
216.58.200.239 upload.google.com
74.125.23.101 video.google.com
74.125.23.139 video.google.com
74.125.23.102 video.google.com
74.125.23.113 video.google.com
74.125.23.100 video.google.com
74.125.23.138 video.google.com
74.125.203.100 videos.google.com
74.125.203.113 videos.google.com
74.125.203.102 videos.google.com
74.125.203.138 videos.google.com
74.125.203.139 videos.google.com
74.125.203.101 videos.google.com
172.217.160.110 voice.google.com
64.9.224.68 .google.com
64.9.224.69 .google.com
64.9.224.70 .google.com
74.125.204.100 w.google.com
74.125.204.139 w.google.com
74.125.204.113 w.google.com
74.125.204.102 w.google.com
74.125.204.101 w.google.com
74.125.204.138 w.google.com
108.177.97.92 wallet.google.com
72.14.224.25 wam.google.com
72.14.224.24 wam.google.com
74.125.204.138 wap.google.com
74.125.204.101 wap.google.com
74.125.204.113 wap.google.com
74.125.204.139 wap.google.com
74.125.204.102 wap.google.com
74.125.204.100 wap.google.com
74.125.23.101 web.google.com
74.125.23.102 web.google.com
74.125.23.139 web.google.com
74.125.23.100 web.google.com
74.125.23.113 web.google.com
74.125.23.138 web.google.com
69.63.186.30 webdocs.google.com
74.125.204.139 webmaster.google.com
74.125.204.102 webmaster.google.com
74.125.204.113 webmaster.google.com
74.125.204.101 webmaster.google.com
74.125.204.138 webmaster.google.com
74.125.204.100 webmaster.google.com
31.13.85.16 websites.google.com
216.239.34.22 whois.google.com
64.233.189.138 work.google.com
64.233.189.113 work.google.com
64.233.189.100 work.google.com
64.233.189.139 work.google.com
64.233.189.102 work.google.com
64.233.189.101 work.google.com
74.125.23.139 ww.google.com
74.125.23.101 ww.google.com
74.125.23.102 ww.google.com
74.125.23.100 ww.google.com
74.125.23.113 ww.google.com
74.125.23.138 ww.google.com
69.171.244.11 www.google.com
Subnets found (may want to probe here using nmap or unicornscan):
108.170.217.0-255 : 1 hostnames found.
108.177.97.0-255 : 1 hostnames found.
172.217.160.0-255 : 22 hostnames found.
172.217.24.0-255 : 6 hostnames found.
172.217.27.0-255 : 5 hostnames found.
203.208.40.0-255 : 4 hostnames found.
203.208.41.0-255 : 12 hostnames found.
216.239.32.0-255 : 5 hostnames found.
216.239.34.0-255 : 2 hostnames found.
216.239.35.0-255 : 8 hostnames found.
216.239.36.0-255 : 2 hostnames found.
216.239.38.0-255 : 1 hostnames found.
216.58.200.0-255 : 12 hostnames found.
31.13.85.0-255 : 2 hostnames found.
46.82.174.0-255 : 1 hostnames found.
64.13.192.0-255 : 1 hostnames found.
64.233.183.0-255 : 2 hostnames found.
64.233.189.0-255 : 48 hostnames found.
64.9.224.0-255 : 3 hostnames found.
69.171.244.0-255 : 1 hostnames found.
69.63.186.0-255 : 1 hostnames found.
72.14.224.0-255 : 2 hostnames found.
74.125.203.0-255 : 12 hostnames found.
74.125.204.0-255 : 151 hostnames found.
74.125.23.0-255 : 94 hostnames found.
Done with Fierce scan: http://ha.ckers.org/fierce/
Found 399 entries.
Have a nice day.
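The scan above follows a fixed sequence: ask the domain's nameservers for a zone transfer, check for wildcard DNS, brute-force a wordlist, then group every hit by /24 in the "Subnets found" summary. The script below is an added example, not part of fierce, that reads a saved fierce log offline and turns it into the three things the zone's owner cares about: whether any nameserver handed over the zone (the "transfer not allowed" lines above are the desired result), whether a wildcard record polluted the brute force, and which /24s the discovered names land in. The input is a constructed handful of lines in the shape fierce prints (example.com names); the exact wording fierce uses when it does find a wildcard is assumed to be anything other than the "Nope. Good." seen above.

```python
"""Parse saved fierce output offline: flag zone-transfer exposure and wildcard
DNS, and rebuild the per-/24 'Subnets found' summary. Added example; not code
from fierce itself. SAMPLE_OUTPUT is constructed to mirror the scan's format."""
import ipaddress
import re
from collections import defaultdict

# One result line: dotted-quad IP, whitespace, hostname (fierce also emits
# names like '.google.com', so the hostname is any non-blank token).
HOST_LINE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)$")

# Constructed sample in the shape of a fierce run (not a real scan).
SAMPLE_OUTPUT = """\
DNS Servers for example.com:
ns1.example.com
Trying zone transfer first...
Testing ns1.example.com
Request timed out or transfer not allowed.
Unsuccessful in zone transfer (it was worth a shot)
Okay, trying the good old fashioned way... brute force
Checking for wildcard DNS...
Nope. Good.
Now performing 4 test(s)...
172.217.160.100 academico.example.com
172.217.160.109 accounts.example.com
74.125.204.139 alerts.example.com
74.125.204.113 alerts.example.com
203.208.41.128 corp.example.com
Subnets found (may want to probe here using nmap or unicornscan):
172.217.160.0-255 : 2 hostnames found.
Done with Fierce scan: http://ha.ckers.org/fierce/
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs from result lines; summary lines such as
    '172.217.160.0-255 : 2 hostnames found.' do not match and are skipped."""
    hosts = []
    for line in text.splitlines():
        m = HOST_LINE.match(line.strip())
        if m:
            hosts.append((m.group(1), m.group(2)))
    return hosts


def group_by_slash24(hosts):
    """Group entries by /24 the way fierce's 'Subnets found' summary does.
    fierce counts entries (one per A record), so a name with six A records in
    one /24 adds six; the unique hostnames per subnet are kept as well."""
    subnets = defaultdict(lambda: {"entries": 0, "hostnames": set()})
    for ip, name in hosts:
        net = str(ipaddress.ip_network(f"{ip}/24", strict=False))
        subnets[net]["entries"] += 1
        subnets[net]["hostnames"].add(name)
    return dict(subnets)


def zone_transfer_allowed(text):
    """True when a nameserver answered AXFR. A refused transfer prints
    'Request timed out or transfer not allowed.' per server followed by
    'Unsuccessful in zone transfer'; if that closing line never appears after
    the attempt started, a server handed over the zone (assumed reading)."""
    if "Trying zone transfer first" not in text:
        return False
    return "Unsuccessful in zone transfer" not in text


def wildcard_dns_detected(text):
    """fierce prints 'Nope. Good.' right after 'Checking for wildcard DNS...'
    when no wildcard exists. Any other line there is taken (assumption) to mean
    a wildcard record, so every brute-forced name would resolve and the host
    list below it is noise rather than real exposure."""
    marker = "Checking for wildcard DNS..."
    if marker not in text:
        return False
    following = text.split(marker, 1)[1].lstrip().splitlines()
    return not (following and following[0].strip() == "Nope. Good.")


def summarize(text):
    """Exposure flags plus a {subnet: (entry_count, sorted_hostnames)} table."""
    hosts = parse_hosts(text)
    table = {net: (v["entries"], sorted(v["hostnames"]))
             for net, v in group_by_slash24(hosts).items()}
    return {
        "zone_transfer_allowed": zone_transfer_allowed(text),
        "wildcard_dns": wildcard_dns_detected(text),
        "hosts": len(hosts),
        "subnets": table,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_OUTPUT).items():
        print(key, value)
```

Run it against a log captured with -file to get a quick exposure summary; the two flags are the ones worth alerting on for your own zone, while the subnet table shows which address blocks the brute force attributes to you, including any RFC1918 ranges that a misconfigured internal view leaks.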